Virus Database


MS.748

Description MS.748

This is a very dangerous non-memory resident parasitic virus. It searches for .COM files, and writes itself to the end of the files. On Saturday at 5 a.m., it overwrites .EXE files with a little program that erases random sectors of the hard drive, and displays randomly selected letters. The virus contains the text string:
MS*.COM *.EXE


Backdoor.Afcore.q

Description Backdoor.Afcore.q
Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers.
Infected message body text contains the following:
If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"
When launched, the backdoor program installs itself into an NTFS alternate data stream attached to the system32 directory.
The backdoor registers itself into the system registry auto run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) =
rundll32 (path to the backdoor program),(options)

The file name is formed from a combination of arbitrary symbols.
The backdoor program has several options that it can use:
DebugBreakpoint
DebugInit
Init
InitService
SpawnedInit
Uninstall

To remotely uninstall itself from victim machines the backdoor uses the following command:
rundll32 (drive):\%windir%\system32:(name of the backdoor.dll file),Uninstall

When the uninstall command is sent, the Afcore backdoor removes itself from the system registry; it remains only in the file stream and is no longer launched at system startup. To remove the Afcore backdoor program from the file stream, it is necessary to use a special utility.
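The Run-key registration described above can be checked for on an exported set of Run values. The following is an added example, not part of the original description or of any vendor tool; the value names and paths in SAMPLE_RUN_KEY are constructed, and the function names are hypothetical.

```python
import re

# Export names listed in the Afcore description above.
AFCORE_EXPORTS = {"DebugBreakpoint", "DebugInit", "Init", "InitService",
                  "SpawnedInit", "Uninstall"}

def parse_rundll32(command):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = re.match(r'\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(.+)', command, re.I)
    if not m:
        return None
    # Assumption: the DLL path ends at the first comma.
    path, _, rest = m.group(1).partition(",")
    export = rest.split()[0] if rest.split() else ""
    return path.strip().strip('"'), export

def has_stream(path):
    """True if the path names an NTFS alternate data stream (file:stream)."""
    # Drop an optional \\?\ prefix and the drive letter; any colon left
    # over separates a file or directory name from a stream name.
    rest = re.sub(r'^(?:\\\\\?\\)?[A-Za-z]:', '', path)
    return ":" in rest

def triage(run_values):
    """Map Run value name -> reasons it resembles the Afcore autorun entry."""
    findings = {}
    for name, command in run_values.items():
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        path, export = parsed
        reasons = []
        if has_stream(path):
            reasons.append("dll-in-alternate-data-stream")
        # Weak on its own ("Init" is a common export name); supporting only.
        if export in AFCORE_EXPORTS:
            reasons.append("export-name-listed-for-afcore")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample of HKLM\...\Run values (not real indicators).
SAMPLE_RUN_KEY = {
    "ctfmon": r"C:\Windows\system32\ctfmon.exe",
    "NvCpl": r"rundll32.exe C:\Windows\system32\NvCpl.dll,NvStartup",
    "xqzkw": r"rundll32 C:\Windows\system32:xqzkw.dll,Init",
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_KEY).items():
        print(name, reasons)
```

An entry flagged only for its export name needs manual review; the alternate-data-stream path is the stronger signal.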

Backdoor.Agent.b

Description Backdoor.Agent.b

Agent.b is a classic Trojan backdoor that opens the infected machine to remote access. This backdoor is a Windows PE exe file written in Visual C.
Agent.b is packed with two packers: Morphine and UPX. The packed file is 38 KB; unpacked, it is 104 KB.
Agent.b is controlled over IRC channels. The controller can download and execute files on the infected machine.
Payload
Agent.b opens a random port in the 1xxx range for about a second, and then continues opening the next port in ascending numerical order. The infected machine sees only ports 'blinking' in ascending order.
Removal
If you know the name of the file containing the backdoor, you can delete it after you stop its active processes in RAM using the Windows Task Manager. Once you have stopped the process, you can then delete the file.
If you cannot identify the name of the active process, you need to install a firewall, such as Kaspersky Anti-Hacker, which will monitor open ports and provide a log.

    Copyright © 2005 Virus-Database.com